Portions of this patent document contain material subject to copyright restriction. The copyright owner has no objection to facsimile reproduction of the patent document after grant, as it appears in the U.S. Patent and Trademark Office's files or records, but otherwise reserves all rights relating thereto.
The field of this application relates to apparatus, methods, and computer program products relating to network management operations and particularly to apparatus, methods, and computer program products for network management protocol adapter security software.
Currently, a remote network management entity can gain complete access to the management information of a local network management entity. Such access is particularly desired by enterprises that lease network bandwidth from carriers, where the carriers have used large-scale network management frameworks to consolidate the management functions for every piece of a leased network into a single platform. An enterprise wants visibility into the part of the network it has leased, so carriers offer their customers visibility into the network management framework in order that each customer can see what is happening to its leased portion of the network. This is done through a network management system owned by the customer, which communicates with the network management system owned by the carrier using a protocol such as the Common Management Information Protocol (CMIP).
In particular, the customer asks for the status of managed objects that it owns. Both local and remote users of the network management system interact with the network management information as a set of objects. When a carrier's network management system receives commands from multiple customers A and B, each requesting visibility into a corresponding portion of the network, the carrier's network management system must ensure that customer A does not see customer B's data and vice versa. It is therefore desirable to restrict such remote access to local network management information. A local user of a management system has its use of the system, its features, and its objects restricted by native security features built into the network manager and the host computer system itself. A remote network management application entity, however, may not be specifically identifiable as a user-id on the host computer system, so the local network manager may be unable to use the host's security features to restrict that entity's access.
It is further desirable that the view of the local management information tree (MIT) presented to a remote network manager be pruned to include only selected information items. Such restrictions, limitations, and prohibitions are technically difficult to implement. In particular, standard network management protocols such as CMIP, set forth in International Telecommunication Union (ITU) Standard x.711, provide hooks for installing proprietary authentication and authorization but include no standardized authentication and authorization mechanisms.
A computer implemented method and a computer program product according to the present invention include a first computer readable code construct configured to handle request messages. Handling comprises receiving a request message that has an associated user name, the user name being associated with a remote user on a network; making an access determination as to whether forwarding of the request message is authorized; and, when forwarding is authorized, forwarding the message to a target system.
According to one embodiment of the present invention, a computer implemented method and a computer program product include a first computer readable code construct configured to handle request messages. Handling comprises receiving a request message that has an associated user name, the user name being associated with a remote user on a network; making an access determination as to whether forwarding of the request message is authorized; and, when forwarding is authorized, forwarding the message to a target system. The MPASS feature provides an open-system approach to agent-role authentication and authorization that can be used in interactions with any other management system. According to the present invention, the management protocol adapter security software (MPASS) feature enables a network manager, acting in an agent role, to restrict the access of remote network management entities to its management information over CMIP communications. MPASS allows a network manager to identify remote CMIP network management entities as specific users and to restrict their access to its management information accordingly. In particular, according to one embodiment of the present invention, an authentication/authorization mechanism is automatically enforced by the Solstice Enterprise Manager (SEM) framework when the local network management entity receives a remote request, ensuring that only the appropriate, limited visibility is provided to peers and superior managers requesting local network management information.
Further, according to the present invention, when multiple users have access to a shared management system, the carrier's network management framework authenticates each MOM and peer manager that connects, assigns it a user name, and applies access control to particular requests, so that each customer sees only the limited portion of the data stored in the network management framework that the customer is entitled to access. According to the present invention, access to the features and objects of the network management system is restricted per remote user: each remote user is either assigned a user-id mapped from its network address and application-entity title, or is optionally assigned a fallback (default) user-id.
According to one embodiment of the present invention, a remote user-id is assigned to the remote network management system, to enable the local system to identify its authorization scope.
According to another embodiment of the present invention, a remote user-id is assigned to the remote network management system based upon the remote entity's network address and application-entity title, to enable the local system to identify its authorization scope. The MPASS system, according to the present invention, restricts access to local management information by remote network management entities communicating over ITU x.711 CMIP using ITU x.227 ACSE (Association Control Service Element) connections, referred to as associations. The local management information is made available to a remote management entity in that entity's native network management protocol through management protocol adapters (MPAs) specific to the local manager. Each remote application of a remote manager is identified by an MPA as a remote user with a specific network address and application-entity-title (AE-title), as described in ITU Standard x.650. An AE-title is an application-layer name, carried in the ACSE association request alongside the presentation address, that allows different application entities active at OSI layer 7, the application layer, to be distinguished from one another.
With the MPASS single-user feature configured according to the present invention, a specified MPA is assigned one user-id. The MPA and its assigned user-id are reserved for a single user, and the MPA restricts access to the management information allowed by that user's access permissions. With the multi-user feature of MPASS according to the present invention, a specified MPA is assigned zero or more user-ids, each mapped from a remote entity's network address and AE-title. With these user-ids, the local manager restricts access so that only associations from the specified users are allowed. Accordingly, the MPA presents to a remote user only the management information allowed by that remote user's access permissions.
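The user-id assignment (single-user, multi-user and fallback) and the per-request access determination described in the preceding paragraphs, as an added example that is not code from the patent or from Solstice Enterprise Manager. The class and function names, the slash-path notation used for distinguished names, and every sample address, AE-title, managed object and permission are assumptions constructed for this illustration:

```python
# Added example, not the patent's or Solstice Enterprise Manager's code. RemoteEntity,
# MpaConfig, handle_request, the slash-path DN notation and all sample data are
# assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RemoteEntity:
    """A remote CMIP manager as an MPA sees it on an association: address + AE-title."""
    address: str
    ae_title: str


@dataclass
class MpaConfig:
    """User-id assignment for one MPA: single-user, multi-user map, optional fallback."""
    single_user: Optional[str] = None
    user_map: Dict[Tuple[str, str], str] = field(default_factory=dict)
    default_user: Optional[str] = None

    def identify(self, remote: RemoteEntity) -> Optional[str]:
        """Return the local user-id for this association, or None to refuse it."""
        if self.single_user is not None:
            return self.single_user
        return self.user_map.get((remote.address, remote.ae_title), self.default_user)


# Policy: user-id -> {MIT subtree -> allowed operations}. Distinguished names are
# written as slash paths for brevity (a real MIT uses sequences of RDNs).
Policy = Dict[str, Dict[str, FrozenSet[str]]]
MIT = Dict[str, Dict[str, str]]


def in_subtree(dn: str, subtree: str) -> bool:
    """True when dn is the subtree root or lies beneath it (no bare prefix matching)."""
    return dn == subtree or dn.startswith(subtree.rstrip("/") + "/")


def permits(policy: Policy, user: str, operation: str, dn: str) -> bool:
    """Access determination for one request against the user's subtree permissions."""
    return any(in_subtree(dn, subtree) and operation in ops
               for subtree, ops in policy.get(user, {}).items())


def handle_request(mpa: MpaConfig, policy: Policy, target: MIT,
                   remote: RemoteEntity, operation: str, dn: str):
    """Identify the remote entity, decide, and only then forward to the target system."""
    user = mpa.identify(remote)
    if user is None:
        return ("refused", "association is not mapped to any user-id")
    if not permits(policy, user, operation, dn):
        # Same answer whether or not the object exists, so A cannot probe B's subtree.
        return ("refused", f"{user} is not authorized for {operation} on {dn}")
    # Forwarded request: the target answers (None stands in for noSuchObjectInstance).
    return ("forwarded", target.get(dn))


def pruned_view(policy: Policy, user: str, target: MIT) -> MIT:
    """The part of the MIT a user may see: what a scoped M-GET over the tree returns."""
    return {dn: attrs for dn, attrs in target.items()
            if permits(policy, user, "M-GET", dn)}


# Constructed sample data: a carrier MIT holding two customers' leased circuits.
CARRIER_MIT: MIT = {
    "/net": {"name": "carrier-core"},
    "/net/custA": {"name": "customer A"},
    "/net/custA/circuit1": {"operationalState": "enabled"},
    "/net/custB": {"name": "customer B"},
    "/net/custB/circuit9": {"operationalState": "disabled"},
}
POLICY: Policy = {
    "custA": {"/net/custA": frozenset({"M-GET", "M-SET"})},
    "custB": {"/net/custB": frozenset({"M-GET"})},
}
# Multi-user MPA: (address, AE-title) -> user-id, no fallback, so unknown peers are refused.
CUSTOMER_MPA = MpaConfig(user_map={
    ("192.0.2.10", "custA-nms"): "custA",
    ("192.0.2.20", "custB-nms"): "custB",
})

if __name__ == "__main__":
    a = RemoteEntity("192.0.2.10", "custA-nms")
    print(handle_request(CUSTOMER_MPA, POLICY, CARRIER_MIT, a, "M-GET", "/net/custA/circuit1"))
    print(handle_request(CUSTOMER_MPA, POLICY, CARRIER_MIT, a, "M-GET", "/net/custB/circuit9"))
    print(sorted(pruned_view(POLICY, "custA", CARRIER_MIT)))
```

Two design points worth noting. The mapping key is the pair (network address, AE-title), so a peer that presents customer A's AE-title from customer B's address matches no entry and, with no default user-id configured, has its association refused rather than silently mapped. And refusal is the same for an unauthorized object that exists and one that does not, so a customer cannot enumerate another customer's part of the tree through error differences. Because CMIP itself standardizes no authentication, an identification built from network address and AE-title is only as trustworthy as whatever protects the path those values travel over; the patent leaves that to the proprietary hooks it mentions.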